Long favoured by Australian PM, Wickr could become his decryption Waterloo

EFF rates Wickr among the Internet’s strongest proponents of transparency and reform around government data requests

Once lauded by prime minister Malcolm Turnbull as a paragon of secure communications, encrypted-messaging app Wickr could turn out to be one of the biggest opponents to his government’s new legislative push to force technology companies to divulge users’ encrypted communications.

Turnbull is a longtime user of Wickr who – just six months before he led a September 2015 revolt against then-prime minister Tony Abbott that was likely to have been organised using the app – went on record as using Wickr instead of SMS because SMS messages “are not encrypted in transit and they’re not encrypted on the telco’s server... and reside there even after they’ve been deleted”.

Downloads of Wickr increased by 700 percent after Turnbull’s claim (https://www.businessinsider.com.au/wickr-downloads-have-increased-700-since-malcolm-turnbull-said-he-uses-it-2015-11). Yet the company behind the popular app now sits at the vanguard of the movement against exactly the kind of surveillance that Turnbull is now advocating.

Wickr was among the most highly ranked online companies examined in the Electronic Frontier Foundation (EFF)’s latest Who Has Your Back? report into technology companies’ protection of users in a climate of increasing government data requests.

Released a fortnight ago, the company’s latest transparency report noted that “the messages we secure will never be outwardly visible” and that the company would only ever provide “non-content information describing an account”.

“Our system is designed to protect our users’ privacy such that we never have access to our users’ decrypted message content so we can’t pass it on to anyone else,” the report says, noting that in the first half of 2017 the company’s users had been the subject of 2 search warrants pertaining to 5 users; 35 subpoenas relating to 81 users; and 6 non-US requests pertaining to 12 users.

EFF’s annual report assesses companies’ histories of exposing government data requests on five categories – which include following industry-wide best practices, telling users about government data requests, promising not to “sell out users”, standing up to National Security Letter (NSL) gag orders, and pursuing “pro-user public policy” by fighting to reform the enabling Section 702 legislation.

Wickr was flagged as complying in all five areas – joining Adobe, Credo Mobile, Dropbox, Lyft, Pinterest, Sonic, Uber, and WordPress.com as the only 9 firms to do so out of 26 examined. Those nine companies have proven themselves most resistant to rolling over for US government requests for their users’ data, which means that Wickr is likely to be one of the loudest opponents of Turnbull’s policy – which will attempt to force online companies to help law-enforcement authorities view even encrypted messages.

Turnbull’s recent statement that “The laws of mathematics are very commendable but the only law that applies in Australia is the law of Australia” has been lambasted worldwide as showing the Australian government’s ignorance about the functioning of the same encryption algorithms that are used to secure all manner of online communications – not to mention government secrets.

But EFF Australia senior global policy analyst Jeremy Malcolm, for one, has warned against writing off Turnbull’s statement just because of the “well-deserved mockery” that it has attracted. The mooted policy “would hurt ordinary citizens who rely on encryption to make sure that their conversations are secure and private from prying eyes,” Malcolm wrote in a recent blog.

Over time, however, network effects could create a problematic situation for privacy as “more and more app developers might fall under national laws that require them to compromise their encryption standards,” Malcolm wrote. Russia and the United Kingdom have already passed similar laws, he notes, and other countries are expected to follow as governments reassess privacy principles recently espoused in Australia’s recently-revised Privacy Act, upcoming Notifiable Data Breach scheme, or the European Union’s upcoming General Data Protection Regulation (GDPR).

Cook’s public statement – that the FBI had asked Apple to make “the software equivalent of cancer” – doesn’t bode well for Brandis’ chances of convincing Apple to go along with the Australian government’s wishes any time soon. Nor does Apple’s four-star rating on the EFF scale: the company was passed in every EFF category except for support for Section 702 Reform.

Resistance to the Australian government proposal is coalescing as privacy advocates rail against what is being seen as an autocratic and largely unworkable proposal to decrypt communications in real time. A recent statement from the Greens said that Turnbull’s policy reveals a “Brandis-esque level of digital illiteracy across the entire government” and has been informed by Hollywood portrayals of hacking more than technical reality.

Turnbull has cited claims by the UK’s GCHQ that real-time decryption is possible, but so far industry consensus has failed to support this.

Breaking into encrypted messaging apps would also expose the current government to accusations of rank hypocrisy: Turnbull’s comments on Wickr came just months before his carefully-organised spill against then-prime minister Tony Abbott. More recently, revelations by Crikey suggested that Turnbull’s use of Wickr with Kevin Rudd – to discuss Rudd’s potential United Nations appointment – had seen the messages go missing.

Cyber resilience will be particularly important as Australian organisations face increased pressure to quickly detect, respond to, and manage the repercussions of breaches in the wake of 2018’s Notifiable Data Breaches (NDB) scheme.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.